Server Message Block (SMB) is a ubiquitous protocol used for file sharing, remote access, and resource management across enterprise networks. While critical for business operations, its misconfigurations can expose vulnerabilities to attackers. In this blog post, we’ll dive into a real-world red team operation where a simple yet effective PowerShell-based tool led us from SMB enumeration to full network takeover.
Meet SMB: The Network's Sharing Protocol
Before we get into the technical details, let’s examine briefly at what SMB is and why it’s so important.
The Server Message Block (SMB) protocol, also known as Common Internet File System (CIFS), enables users and devices on a network to share files and access resources like printers and drives seamlessly. It's widely used in Windows environments but is also supported by macOS, Linux, and other platforms.
However, SMB also comes with its own set of challenges:
Default and Overly-Permissive Configurations: Shares with "Everyone" or "Domain Users" permissions can expose sensitive files to unintended parties.
Weak or Mismanaged Authentication: Default credentials or improperly managed accounts can give unauthorized users access.
High Exploitation Potential: SMB has been targeted by numerous exploits, including the infamous EternalBlue (CVE-2017-0144) used in the WannaCry ransomware attack.
The Engagement: A Red Team's Tale
This story starts with a typical network security assessment. The client had an expansive internal network with hundreds of hosts. Our task was to identify potential security gaps. During our reconnaissance phase, we turned to SMB as a potential attack vector.
The Challenge
Due to security restrictions, we couldn’t rely on our usual arsenal of tools like smbclient (Linux) or Python-based utilities like Impacket. We needed a tool
that:
Could run natively in Windows environments.
Required no external dependencies.
Would blend in with legitimate administrative activities.
The Solution
Enter PowerShell. With its native integration into Windows systems and lack of dependency on third-party tools, it was the perfect choice for this engagement.
We built a custom PowerShell-based SMB scanner designed to:
Enumerate SMB shares across a list of hosts.
Test for read access to shares.
Search for sensitive files within accessible shares.
The scanner didn’t rely on external tools like Nmap for discovery, making it more versatile. (For users interested in running discovery with Nmap, we’ve included a separate script in our GitHub repository.)
Using the Scanner: A Walkthrough
To make the scanner more interactive and adaptable, we designed it to work in two phases:
Phase 1: Network Discovery (Optional)
For those who wish to identify hosts with SMB (port 445) enabled, an optional Nmap scan can be run to create a list of target IPs. This step is useful for larger networks although optional.
Phase 2: SMB Enumeration and Data Gathering
The main script accepts a list of IPs or hostnames and performs SMB enumeration, share access testing, and keyword-based file searches. All results are saved to organized text files for analysis.
The Script In Action
An example of the script in action is shown below:
1. Enumerating SMB Shares
The tool starts by probing each target host for SMB shares. If a share is discovered, it’s listed with its access permissions.
(See Figure 1 below for a snapshot of the tool identifying accessible shares.)
2. Testing Access
For each share, the script tests if the user has read access. This is where we often strike gold: shares with overly permissive settings.
(See Figure 2 for an example of shares with confirmed read access.)
3. Finding Sensitive Files
The script performs a recursive scan within accessible shares for files matching specific keywords or extensions (e.g., .pem , .xlsx , .txt ).
This uncovered:
Plaintext Credentials: Multiple Excel files containing administrative credentials.
Root Certificates: Certificates that could enable HTTPS interception.
SCADA System Data: Files containing information about the client’s operational technology network.
(See Figures 3–5 for real-world findings, redacted for client privacy.)
Why PowerShell?
The choice of PowerShell was deliberate. Unlike Python or Linux-based tools, PowerShell is:
Widely Available: Installed by default on all modern Windows systems.
Lightweight and Native: Requires no external libraries, ensuring compatibility even in heavily restricted environments.
Less Likely to Trigger Security Alerts: PowerShell scripts blend in with legitimate IT administrative activities.
This makes PowerShell particularly well-suited for engagements in environments where tools like Python or Nmap might be blocked.
Real-World Findings
During this engagement, our tool uncovered several significant issues:
Plaintext Credentials
We discovered multiple Excel files containing plaintext passwords for critical systems. This included administrative accounts for systems like Nagios XI, which allowed us to view and manage the client’s entire infrastructure. (See Figure 3.)
Root Certificates
A folder containing root certificates for the client’s internal domains was found on a share accessible to all employees. This introduced a severe risk of HTTPS interception or MITM attacks. (See Figure 4.)
SCADA System Access
Files related to the client’s SCADA(Supervisory Control and Data Acquisition) system were found, including diagrams and configurations. This exposed a major operational risk, as unauthorized access could have led to disruptions in factory operations. (See Figure 5.)
Protecting Against SMB Exploits: Recommendations
To secure your SMB shares and minimize risk, we recommend:
Regular SMB Audits: Regularly review all shares for permissions and access settings.
Least Privilege Principle: Grant access on a need-to-know basis. Avoid “Everyone” or “Domain Users” permissions unless absolutely necessary.
Use Strong Passwords: Avoid plaintext passwords and ensure sensitive credentials are stored securely.
Monitor SMB Activity: Use tools like Windows Event Logs or third-party solutions to track SMB activity for suspicious behavior.
Want to Try the Tool?
Interested in trying the SMB scanner yourself? Explore our GitHub repository for detailed instructions and code examples. The repository includes:
The PowerShell SMB Scanner script.
An optional Nmap discovery script for identifying SMB hosts.
Detailed usage instructions.
Conclusion
This red team engagement highlights the dangers of SMB misconfigurations and the importance of regular audits. By leveraging PowerShell, we adapted to the client’s restricted environment and demonstrated how a simple tool could lead to impactful findings.
Have questions or want to learn more? Share your thoughts in the comments or reach out to us directly!
Comments